Domů Procházet Nápověda
Registrovat se Přihlásit se
TonyT
/
chatbot
1
0
Rozštěpit 0
Soubory Úkoly 0 Pull Requesty 0 Wiki
Strom: 89dc9c9d0f
Větve Značky
chatbot
/
server
/
rbac.test.ts

rbac.test.ts 14 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325 
  1. import { describe, expect, it, vi } from "vitest";
    2. 

  2. import { appRouter } from "./routers";
    3. 

  3. import type { TrpcContext } from "./_core/context";
    4. 

  4. 

  5. type AuthenticatedUser = NonNullable<TrpcContext["user"]>;
    6. 

  6. 

  7. /* ─── Context helpers for each role ─── */
    8. 

  8. function createContext(role: "admin" | "agent" | "user" | null): TrpcContext {
    9. 

  9.   if (!role) {
    10. 

  10.     return {
    11. 

  11.       user: null,
    12. 

  12.       req: { protocol: "https", headers: {} } as TrpcContext["req"],
    13. 

  13.       res: { clearCookie: vi.fn() } as unknown as TrpcContext["res"],
    14. 

  14.     };
    15. 

  15.   }
    16. 

  16. 

  17.   const user: AuthenticatedUser = {
    18. 

  18.     id: role === "admin" ? 1 : role === "agent" ? 2 : 3,
    19. 

  19.     openId: `${role}-openid`,
    20. 

  20.     email: `${role}@homelegance.com`,
    21. 

  21.     name: `Test ${role.charAt(0).toUpperCase() + role.slice(1)}`,
    22. 

  22.     loginMethod: "manus",
    23. 

  23.     role,
    24. 

  24.     createdAt: new Date(),
    25. 

  25.     updatedAt: new Date(),
    26. 

  26.     lastSignedIn: new Date(),
    27. 

  27.   };
    28. 

  28. 

  29.   return {
    30. 

  30.     user,
    31. 

  31.     req: { protocol: "https", headers: {} } as TrpcContext["req"],
    32. 

  32.     res: { clearCookie: vi.fn() } as unknown as TrpcContext["res"],
    33. 

  33.   };
    34. 

  34. }
    35. 

  35. 

  36. /* ─── Mock database ─── */
    37. 

  37. vi.mock("./db", () => {
    38. 

  38.   const users = [
    39. 

  39.     { id: 1, openId: "admin-openid", name: "Test Admin", email: "admin@homelegance.com", role: "admin", lastSignedIn: new Date(), createdAt: new Date(), updatedAt: new Date() },
    40. 

  40.     { id: 2, openId: "agent-openid", name: "Test Agent", email: "agent@homelegance.com", role: "agent", lastSignedIn: new Date(), createdAt: new Date(), updatedAt: new Date() },
    41. 

  41.     { id: 3, openId: "user-openid", name: "Test User", email: "user@homelegance.com", role: "user", lastSignedIn: new Date(), createdAt: new Date(), updatedAt: new Date() },
    42. 

  42.   ];
    43. 

  43. 

  44.   return {
    45. 

  45.     createConversation: vi.fn(async (data: any) => ({ id: 1, ...data, createdAt: new Date(), updatedAt: new Date() })),
    46. 

  46.     getConversations: vi.fn(async () => []),
    47. 

  47.     getConversationById: vi.fn(async (id: number) => ({ id, sessionId: "test", status: "active", createdAt: new Date(), updatedAt: new Date() })),
    48. 

  48.     getConversationBySessionId: vi.fn(async () => null),
    49. 

  49.     updateConversationStatus: vi.fn(async (id: number, status: string) => ({ id, status })),
    50. 

  50.     getConversationStats: vi.fn(async () => ({ total: 5, active: 2, escalated: 1, resolved: 1, closed: 1 })),
    51. 

  51.     addMessage: vi.fn(async (data: any) => ({ id: 1, ...data, createdAt: new Date() })),
    52. 

  52.     getMessagesByConversation: vi.fn(async () => []),
    53. 

  53.     saveWorkflow: vi.fn(async (wid: string, nodes: any[], edges: any[]) => ({ workflowId: wid, nodeCount: nodes.length, edgeCount: edges.length })),
    54. 

  54.     getWorkflow: vi.fn(async () => ({ nodes: [], edges: [] })),
    55. 

  55.     getAllUsers: vi.fn(async () => users),
    56. 

  56.     updateUserRole: vi.fn(async (userId: number, role: string) => {
    57. 

  57.       const u = users.find(u => u.id === userId);
    58. 

  58.       if (!u) return null;
    59. 

  59.       return { ...u, role };
    60. 

  60.     }),
    61. 

  61.     getUserById: vi.fn(async (userId: number) => users.find(u => u.id === userId)),
    62. 

  62.     getUserByEmail: vi.fn(async (email: string) => users.find(u => u.email === email) || null),
    63. 

  63.     deleteUser: vi.fn(async (userId: number) => users.find(u => u.id === userId) || null),
    64. 

  64.     createInvitation: vi.fn(async (data: any) => ({ id: 1, ...data, createdAt: new Date() })),
    65. 

  65.     getAllInvitations: vi.fn(async () => []),
    66. 

  66.     getInvitationByToken: vi.fn(async () => null),
    67. 

  67.     getInvitationByEmail: vi.fn(async () => []),
    68. 

  68.     updateInvitationStatus: vi.fn(async (id: number, status: string) => ({ id, status })),
    69. 

  69.     expireOldInvitations: vi.fn(async () => {}),
    70. 

  70.     createAuditLog: vi.fn(async (data: any) => ({ id: 1, ...data, createdAt: new Date() })),
    71. 

  71.     getAuditLogs: vi.fn(async () => []),
    72. 

  72.     getConversationsAdvanced: vi.fn(async () => ({ conversations: [], total: 0, page: 1, pageSize: 20, totalPages: 0 })),
    73. 

  73.     getConversationMessageCounts: vi.fn(async () => ({})),
    74. 

  74.     getAgentUsers: vi.fn(async () => []),
    75. 

  75.     bulkUpdateConversationStatus: vi.fn(async (ids: number[]) => ({ updated: ids.length })),
    76. 

  76.     deleteConversations: vi.fn(async (ids: number[]) => ({ deleted: ids.length })),
    77. 

  77.     getUserByEmailWithPassword: vi.fn(async () => null),
    78. 

  78.     createUserWithPassword: vi.fn(async (data: any) => ({ id: 10, ...data })),
    79. 

  79.     updateUserPassword: vi.fn(async () => {}),
    80. 

  80.     createPasswordResetToken: vi.fn(async (data: any) => ({ id: 1, ...data })),
    81. 

  81.     getPasswordResetToken: vi.fn(async () => null),
    82. 

  82.     markPasswordResetTokenUsed: vi.fn(async () => {}),
    83. 

  83.     upsertUser: vi.fn(),
    84. 

  84.     getUserByOpenId: vi.fn(),
    85. 

  85.   };
    86. 

  86. });
    87. 

  87. 

  88. vi.mock("./_core/llm", () => ({
    89. 

  89.   invokeLLM: vi.fn(async () => ({
    90. 

  90.     id: "test",
    91. 

  91.     created: Date.now(),
    92. 

  92.     model: "test",
    93. 

  93.     choices: [{ index: 0, message: { role: "assistant", content: "Test response" }, finish_reason: "stop" }],
    94. 

  94.   })),
    95. 

  95. }));
    96. 

  96. 

  97. /* ═══════════════════════════════════════════════════════════════
    98. 

  98.    AGENT PROCEDURES — require agent or admin role
    99. 

  99.    ═══════════════════════════════════════════════════════════════ */
    100. 

  100. 

  101. describe("Agent procedures — role-based access", () => {
    102. 

  102.   describe("Unauthenticated users", () => {
    103. 

  103.     it("rejects agent.stats for unauthenticated user", async () => {
    104. 

  104.       const caller = appRouter.createCaller(createContext(null));
    105. 

  105.       await expect(caller.agent.stats()).rejects.toThrow();
    106. 

  106.     });
    107. 

  107. 

  108.     it("rejects agent.conversations for unauthenticated user", async () => {
    109. 

  109.       const caller = appRouter.createCaller(createContext(null));
    110. 

  110.       await expect(caller.agent.conversations({})).rejects.toThrow();
    111. 

  111.     });
    112. 

  112. 

  113.     it("rejects agent.reply for unauthenticated user", async () => {
    114. 

  114.       const caller = appRouter.createCaller(createContext(null));
    115. 

  115.       await expect(caller.agent.reply({ conversationId: 1, content: "Hi" })).rejects.toThrow();
    116. 

  116.     });
    117. 

  117.   });
    118. 

  118. 

  119.   describe("Regular users (role=user)", () => {
    120. 

  120.     it("rejects agent.stats for regular user", async () => {
    121. 

  121.       const caller = appRouter.createCaller(createContext("user"));
    122. 

  122.       await expect(caller.agent.stats()).rejects.toThrow("Agent or admin access required");
    123. 

  123.     });
    124. 

  124. 

  125.     it("rejects agent.conversations for regular user", async () => {
    126. 

  126.       const caller = appRouter.createCaller(createContext("user"));
    127. 

  127.       await expect(caller.agent.conversations({})).rejects.toThrow("Agent or admin access required");
    128. 

  128.     });
    129. 

  129. 

  130.     it("rejects agent.reply for regular user", async () => {
    131. 

  131.       const caller = appRouter.createCaller(createContext("user"));
    132. 

  132.       await expect(caller.agent.reply({ conversationId: 1, content: "Hi" })).rejects.toThrow("Agent or admin access required");
    133. 

  133.     });
    134. 

  134. 

  135.     it("rejects agent.messages for regular user", async () => {
    136. 

  136.       const caller = appRouter.createCaller(createContext("user"));
    137. 

  137.       await expect(caller.agent.messages({ conversationId: 1 })).rejects.toThrow("Agent or admin access required");
    138. 

  138.     });
    139. 

  139. 

  140.     it("rejects agent.updateStatus for regular user", async () => {
    141. 

  141.       const caller = appRouter.createCaller(createContext("user"));
    142. 

  142.       await expect(caller.agent.updateStatus({ conversationId: 1, status: "resolved" })).rejects.toThrow("Agent or admin access required");
    143. 

  143.     });
    144. 

  144.   });
    145. 

  145. 

  146.   describe("Agent users (role=agent)", () => {
    147. 

  147.     it("allows agent.stats for agent user", async () => {
    148. 

  148.       const caller = appRouter.createCaller(createContext("agent"));
    149. 

  149.       const stats = await caller.agent.stats();
    150. 

  150.       expect(stats).toHaveProperty("total");
    151. 

  151.       expect(stats).toHaveProperty("active");
    152. 

  152.       expect(stats).toHaveProperty("escalated");
    153. 

  153.     });
    154. 

  154. 

  155.     it("allows agent.conversations for agent user", async () => {
    156. 

  156.       const caller = appRouter.createCaller(createContext("agent"));
    157. 

  157.       const result = await caller.agent.conversations({});
    158. 

  158.       expect(Array.isArray(result)).toBe(true);
    159. 

  159.     });
    160. 

  160. 

  161.     it("allows agent.messages for agent user", async () => {
    162. 

  162.       const caller = appRouter.createCaller(createContext("agent"));
    163. 

  163.       const result = await caller.agent.messages({ conversationId: 1 });
    164. 

  164.       expect(Array.isArray(result)).toBe(true);
    165. 

  165.     });
    166. 

  166. 

  167.     it("allows agent.reply for agent user", async () => {
    168. 

  168.       const caller = appRouter.createCaller(createContext("agent"));
    169. 

  169.       const result = await caller.agent.reply({ conversationId: 1, content: "I can help you" });
    170. 

  170.       expect(result).toHaveProperty("id");
    171. 

  171.       expect(result.content).toBe("I can help you");
    172. 

  172.     });
    173. 

  173.   });
    174. 

  174. 

  175.   describe("Admin users (role=admin)", () => {
    176. 

  176.     it("allows agent.stats for admin user", async () => {
    177. 

  177.       const caller = appRouter.createCaller(createContext("admin"));
    178. 

  178.       const stats = await caller.agent.stats();
    179. 

  179.       expect(stats.total).toBe(5);
    180. 

  180.     });
    181. 

  181. 

  182.     it("allows agent.conversations for admin user", async () => {
    183. 

  183.       const caller = appRouter.createCaller(createContext("admin"));
    184. 

  184.       const result = await caller.agent.conversations({});
    185. 

  185.       expect(Array.isArray(result)).toBe(true);
    186. 

  186.     });
    187. 

  187.   });
    188. 

  188. });
    189. 

  189. 

  190. /* ═══════════════════════════════════════════════════════════════
    191. 

  191.    ADMIN PROCEDURES — require admin role only
    192. 

  192.    ═══════════════════════════════════════════════════════════════ */
    193. 

  193. 

  194. describe("Admin procedures — role-based access", () => {
    195. 

  195.   describe("Users management", () => {
    196. 

  196.     it("rejects users.list for unauthenticated user", async () => {
    197. 

  197.       const caller = appRouter.createCaller(createContext(null));
    198. 

  198.       await expect(caller.users.list()).rejects.toThrow();
    199. 

  199.     });
    200. 

  200. 

  201.     it("rejects users.list for regular user", async () => {
    202. 

  202.       const caller = appRouter.createCaller(createContext("user"));
    203. 

  203.       await expect(caller.users.list()).rejects.toThrow();
    204. 

  204.     });
    205. 

  205. 

  206.     it("rejects users.list for agent user", async () => {
    207. 

  207.       const caller = appRouter.createCaller(createContext("agent"));
    208. 

  208.       await expect(caller.users.list()).rejects.toThrow();
    209. 

  209.     });
    210. 

  210. 

  211.     it("allows users.list for admin user", async () => {
    212. 

  212.       const caller = appRouter.createCaller(createContext("admin"));
    213. 

  213.       const result = await caller.users.list();
    214. 

  214.       expect(Array.isArray(result)).toBe(true);
    215. 

  215.       expect(result.length).toBe(3);
    216. 

  216.     });
    217. 

  217. 

  218.     it("allows users.updateRole for admin user", async () => {
    219. 

  219.       const caller = appRouter.createCaller(createContext("admin"));
    220. 

  220.       const result = await caller.users.updateRole({ userId: 2, role: "admin" });
    221. 

  221.       expect(result).toHaveProperty("role", "admin");
    222. 

  222.     });
    223. 

  223. 

  224.     it("prevents admin from changing own role", async () => {
    225. 

  225.       const caller = appRouter.createCaller(createContext("admin"));
    226. 

  226.       await expect(
    227. 

  227.         caller.users.updateRole({ userId: 1, role: "user" })
    228. 

  228.       ).rejects.toThrow("You cannot change your own role");
    229. 

  229.     });
    230. 

  230. 

  231.     it("rejects users.updateRole for agent user", async () => {
    232. 

  232.       const caller = appRouter.createCaller(createContext("agent"));
    233. 

  233.       await expect(
    234. 

  234.         caller.users.updateRole({ userId: 3, role: "agent" })
    235. 

  235.       ).rejects.toThrow();
    236. 

  236.     });
    237. 

  237. 

  238.     it("allows users.getById for admin user", async () => {
    239. 

  239.       const caller = appRouter.createCaller(createContext("admin"));
    240. 

  240.       const result = await caller.users.getById({ userId: 2 });
    241. 

  241.       expect(result).toHaveProperty("name", "Test Agent");
    242. 

  242.     });
    243. 

  243.   });
    244. 

  244. 

  245.   describe("Workflow management", () => {
    246. 

  246.     it("rejects workflow.save for unauthenticated user", async () => {
    247. 

  247.       const caller = appRouter.createCaller(createContext(null));
    248. 

  248.       await expect(
    249. 

  249.         caller.workflow.save({ workflowId: "test", nodes: [], edges: [] })
    250. 

  250.       ).rejects.toThrow();
    251. 

  251.     });
    252. 

  252. 

  253.     it("rejects workflow.save for regular user", async () => {
    254. 

  254.       const caller = appRouter.createCaller(createContext("user"));
    255. 

  255.       await expect(
    256. 

  256.         caller.workflow.save({ workflowId: "test", nodes: [], edges: [] })
    257. 

  257.       ).rejects.toThrow();
    258. 

  258.     });
    259. 

  259. 

  260.     it("rejects workflow.save for agent user", async () => {
    261. 

  261.       const caller = appRouter.createCaller(createContext("agent"));
    262. 

  262.       await expect(
    263. 

  263.         caller.workflow.save({ workflowId: "test", nodes: [], edges: [] })
    264. 

  264.       ).rejects.toThrow();
    265. 

  265.     });
    266. 

  266. 

  267.     it("allows workflow.save for admin user", async () => {
    268. 

  268.       const caller = appRouter.createCaller(createContext("admin"));
    269. 

  269.       const result = await caller.workflow.save({
    270. 

  270.         workflowId: "test",
    271. 

  271.         nodes: [{
    272. 

  272.           workflowId: "test",
    273. 

  273.           nodeId: "n1",
    274. 

  274.           type: "greeting",
    275. 

  275.           label: "Welcome",
    276. 

  276.           config: {},
    277. 

  277.           positionX: 100,
    278. 

  278.           positionY: 100,
    279. 

  279.         }],
    280. 

  280.         edges: [],
    281. 

  281.       });
    282. 

  282.       expect(result.workflowId).toBe("test");
    283. 

  283.       expect(result.nodeCount).toBe(1);
    284. 

  284.     });
    285. 

  285. 

  286.     it("rejects workflow.load for agent user", async () => {
    287. 

  287.       const caller = appRouter.createCaller(createContext("agent"));
    288. 

  288.       await expect(
    289. 

  289.         caller.workflow.load({ workflowId: "test" })
    290. 

  290.       ).rejects.toThrow();
    291. 

  291.     });
    292. 

  292. 

  293.     it("allows workflow.load for admin user", async () => {
    294. 

  294.       const caller = appRouter.createCaller(createContext("admin"));
    295. 

  295.       const result = await caller.workflow.load({ workflowId: "test" });
    296. 

  296.       expect(result).toHaveProperty("nodes");
    297. 

  297.       expect(result).toHaveProperty("edges");
    298. 

  298.     });
    299. 

  299.   });
    300. 

  300. });
    301. 

  301. 

  302. /* ═══════════════════════════════════════════════════════════════
    303. 

  303.    PUBLIC PROCEDURES — accessible without auth
    304. 

  304.    ═══════════════════════════════════════════════════════════════ */
    305. 

  305. 

  306. describe("Public procedures — no auth required", () => {
    307. 

  307.   it("allows auth.me without authentication", async () => {
    308. 

  308.     const caller = appRouter.createCaller(createContext(null));
    309. 

  309.     const result = await caller.auth.me();
    310. 

  310.     expect(result).toBeNull();
    311. 

  311.   });
    312. 

  312. 

  313.   it("returns user for authenticated auth.me", async () => {
    314. 

  314.     const caller = appRouter.createCaller(createContext("admin"));
    315. 

  315.     const result = await caller.auth.me();
    316. 

  316.     expect(result).toHaveProperty("name", "Test Admin");
    317. 

  317.     expect(result).toHaveProperty("role", "admin");
    318. 

  318.   });
    319. 

  319. 

  320.   it("allows chat.getMessages without authentication", async () => {
    321. 

  321.     const caller = appRouter.createCaller(createContext(null));
    322. 

  322.     const result = await caller.chat.getMessages({ sessionId: "test" });
    323. 

  323.     expect(result).toHaveProperty("messages");
    324. 

  324.   });
    325. 

  325. });
    326.